Saudi Central Bank Systems Said to Be Struck by Iran Malware

State-sponsored hackers who unleashed a digital bomb in key parts of Saudi Arabia’s computer networks over the last two weeks damaged systems at the country’s central bank, known as the Saudi Arabian Monetary Agency, according to two people briefed on an ongoing investigation of the breach.

The central bank said in a statement late Friday that its systems hadn’t been breached and that it has continuous surveillance to protect against cyberthreats.

The attacks, which afflicted at least eight government entities, used a computer-killing malware known as Shamoon that is linked to Iran, the two people said. They had the potential to inflict damage on targets across several critical sectors, including finance and transportation.

The investigation is still in its early stages and the determination of responsibility could change, the two people said. The number of entities where damage occurred is likely to grow as the probe continues, a third said.

Iranian officials didn’t respond to repeated requests for comment on the attack. Calls placed to the Saudi Interior Ministry about the targeting of the country’s central bank weren’t returned.

Central Bank Hits

The monetary agency joins the ranks of central banks that have suffered digital attacks in the past year. Russia’s central bank said Friday that hackers have stolen more than 2 billion rubles — a little more than $30 million at current rates — from correspondent accounts at there and from client accounts at Russian banks, without specifying the breakdown. In February, hackers stole $81 million by manipulating the international payment system at the central bank in Bangladesh.

Along with the General Authority of Civil Aviation, which runs Saudi airports, the hackers also hit the Ministry of Transportation, which oversees the kingdom’s road network, one of the people said.

The central bank is a most sensitive target. It manages the kingdom’s foreign-exchange reserves, supervises commercial banks, and runs the country’s electronic-payments system.

It’s unclear what part of the central bank’s information systems were damaged in the attack. There haven’t been reports of outages in the electronic-payments system or other parts of the banking sector.

Burning Flag

The Shamoon malware used in the attacks is the same one that was used in a devastating attack on Saudi Aramco in 2012 that destroyed 35,000 computers within hours. U.S. officials have said Iran was behind that attack.

Although hackers usually add enhancements to malware to advance its capabilities and make it harder to detect, in this case they used the same file as in the Aramco incident, the people familiar with the investigation said. The malware, which overwrites the master boot record of a computer, rendering it inoperable, has destroyed thousands of computers across multiple government agencies, two people familiar with the probe said.

The software that destroyed the Aramco computers four years ago was programmed to leave an image of a burning American flag before making the computer inoperable. In this attack, the software displayed an image of Alan Kurdi, the three-year-old Syrian boy who drowned fleeing the conflict in Syria, said Dmitri Alperovitch, chief technology officer at the security firm Crowdstrike, whose team has examined the malware.